Hello,

On 2007.10.30., at 8:13, Arun S wrote:
Hi Attila,
I have a problem with tproxy4 that I downloaded from the given links.
Scenario 2: Testing SNAT with TPROXY:
The following ip and iptables rules are added:

ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 8080

iptables -t nat -A POSTROUTING -o eth0 -s 20.20.20.4 -j SNAT --to 95.75.75.104
Output:

[root@Arun-FC6-SQUID ~]# ./listIpt.sh

POSTROUTING - NAT
Chain POSTROUTING (policy ACCEPT 1254 packets, 167219 bytes)
 pkts bytes target  prot opt in  out   source       destination
    0     0 SNAT    all  --  *   eth0  20.20.20.4   0.0.0.0/0    to:95.75.75.104

MANGLE
Chain PREROUTING (policy ACCEPT 27667 packets, 2716681 bytes)
 pkts bytes target  prot opt in  out   source       destination
  252 21872 DIVERT  tcp  --  *   *     0.0.0.0/0    0.0.0.0/0    socket
    0     0 TPROXY  tcp  --  *   *     0.0.0.0/0    0.0.0.0/0    tcp dpt:80 TPROXY redirect 0.0.0.0:8080 mark 0x1/0x1

Chain DIVERT (1 references)
 pkts bytes target  prot opt in  out   source       destination
  254 21952 MARK    all  --  *   *     0.0.0.0/0    0.0.0.0/0    MARK set 0x1
  254 21952 ACCEPT  all  --  *   *     0.0.0.0/0    0.0.0.0/0
In this case, SNAT is happening properly. But ACK is not happening as part of the three-way handshake. So the client hangs around till the timeout happens.
You didn't write what kind of TCP traffic doesn't work. If it comes from the LAN1 network and the destination port is 80, it will go to the TPROXY target, i.e. to squid. All other traffic coming from LAN1 is independent of the tproxy patches, so it should work too. If the local endpoint of the actual SNAT-ed traffic is squid, it can bind to that IP address (to any IP if the TRANSPARENT sockopt is set).
Please find attached the sample-TPROXY server code with this.
That seems ok, and it works in the first scenario. This is what I tested with netcat patched to use the IP_TRANSPARENT socket option. But I didn't use SNAT, because IP_TRANSPARENT lets the program bind to any IP address when it connects to any other server (this would be the server-side connection of squid, if binding to a foreign address is necessary).

-- Attila
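To make the mechanism Attila describes concrete, here is an added C example (not the sample server attached to the thread, and not Attila's patched netcat) of a minimal transparent TCP proxy: it listens on the --on-port 8080 from the rules above with IP_TRANSPARENT set, recovers the destination the client really dialled from getsockname() on the accepted socket (TPROXY does not rewrite the packet), then opens the server-side leg bound to the client's own address, which is the "bind to any IP" property that makes the SNAT rule unnecessary. Assumptions: Linux, CAP_NET_ADMIN for IP_TRANSPARENT, and the ip rule / ip route / DIVERT / TPROXY rules from the thread already loaded so both the diverted SYN and the origin server's replies (matched by -m socket) reach this process. Address strings in the comments and test are the ones from Arun's rules.

```c
/* tproxy_demo.c: added example, not code from the thread. Linux only;
 * IP_TRANSPARENT needs CAP_NET_ADMIN, and the ip rule/route plus the
 * iptables DIVERT + TPROXY rules shown above must already be in place.
 * Build: cc -o tproxy_demo tproxy_demo.c */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef IP_TRANSPARENT
#define IP_TRANSPARENT 19   /* value from linux/in.h, for old libc headers */
#endif

/* Fill a sockaddr_in from dotted-quad text and a host-order port; 0 or -1. */
int parse_addr(const char *ip, unsigned short port, struct sockaddr_in *out)
{
    memset(out, 0, sizeof *out);
    out->sin_family = AF_INET;
    out->sin_port = htons(port);
    return inet_pton(AF_INET, ip, &out->sin_addr) == 1 ? 0 : -1;
}

/* Render "a.b.c.d:port" for logging. Returns characters written, or -1. */
int format_addr(const struct sockaddr_in *sa, char *buf, size_t len)
{
    char ip[INET_ADDRSTRLEN];
    if (!inet_ntop(AF_INET, &sa->sin_addr, ip, sizeof ip)) return -1;
    int n = snprintf(buf, len, "%s:%u", ip, (unsigned)ntohs(sa->sin_port));
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

/* Mark a socket transparent: it may then bind() to a non-local address and
 * a TPROXY rule may hand it connections meant for other destinations.
 * Returns 0, or -1 with errno set (EPERM means CAP_NET_ADMIN is missing). */
int set_transparent(int fd)
{
    int one = 1;
    return setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &one, sizeof one);
}

/* 1 if this process can create transparent sockets, else 0 (errno says why:
 * unprivileged, or no AF_INET sockets at all in this sandbox). */
int probe_transparent_support(void)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return 0;
    int rc = set_transparent(fd), saved = errno;
    close(fd);
    errno = saved;
    return rc == 0 ? 1 : 0;
}

/* Transparent TCP socket bound to addr:port (port 0 = ephemeral); fd or -1. */
int transparent_bound_socket(struct in_addr addr, unsigned short port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port), .sin_addr = addr };
    if (set_transparent(fd) < 0 || bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Copy bytes in both directions until either side closes. */
static void relay(int a, int b)
{
    struct pollfd p[2] = { { a, POLLIN, 0 }, { b, POLLIN, 0 } };
    char buf[4096];
    for (;;) {
        if (poll(p, 2, -1) < 0) return;
        for (int i = 0; i < 2; i++) {
            if (!(p[i].revents & (POLLIN | POLLHUP | POLLERR))) continue;
            ssize_t n = read(p[i].fd, buf, sizeof buf);
            if (n <= 0 || write(p[i ^ 1].fd, buf, (size_t)n) != n) return;
        }
    }
}

/* Proxy one connection arriving on the TPROXY --on-port. getsockname() on
 * the accepted socket is the address the client dialled (e.g. 95.75.75.104:80);
 * the upstream leg is bound to the client's address (e.g. 20.20.20.4), so the
 * origin server sees the real client IP with no SNAT rule at all. */
int serve_one(unsigned short listen_port)
{
    struct in_addr any = { .s_addr = htonl(INADDR_ANY) };
    int lfd = transparent_bound_socket(any, listen_port);
    if (lfd < 0 || listen(lfd, 16) < 0) return -1;
    struct sockaddr_in client, dest;
    socklen_t clen = sizeof client, dlen = sizeof dest;
    int cfd = accept(lfd, (struct sockaddr *)&client, &clen);
    if (cfd < 0 || getsockname(cfd, (struct sockaddr *)&dest, &dlen) < 0) return -1;
    char c[32], d[32];
    format_addr(&client, c, sizeof c);
    format_addr(&dest, d, sizeof d);
    fprintf(stderr, "diverted %s -> %s\n", c, d);
    int ufd = transparent_bound_socket(client.sin_addr, 0);   /* spoof client source */
    if (ufd < 0 || connect(ufd, (struct sockaddr *)&dest, sizeof dest) < 0) return -1;
    relay(cfd, ufd);
    close(ufd); close(cfd); close(lfd);
    return 0;
}

int main(void)
{
    if (probe_transparent_support() != 1) {
        perror("IP_TRANSPARENT unavailable");
        return 1;
    }
    return serve_one(8080) == 0 ? 0 : 1;   /* 8080 matches --on-port 8080 above */
}
```

Without the `-m socket -j DIVERT` rule and the fwmark route to `lo`, the origin server's SYN/ACK addressed to 20.20.20.4 would be forwarded to the real client instead of the proxy's spoofed-source socket, and the handshake would stall in exactly the way Arun reports; that is why the DIVERT chain must come before TPROXY in PREROUTING.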